nifi-users mailing list archives

From Bryan Bende <bbe...@gmail.com>
Subject Re: unable to post updates api with user certificate.
Date Tue, 13 Aug 2019 13:47:24 GMT
Looks like you are using CompositeUserGroup provider which lets you combine
multiple user group providers.

The error message is saying the same user identity exists in more than one
of the user group providers which is not allowed.

The identity in the message looks like an LDAP user, so make sure you
didn't define that same user in the file user group provider.

On Tue, Aug 13, 2019 at 3:08 AM Felipe Garcia <felipe@garcia-lind.com>
wrote:

>
> Issue #1 - You should be able to specify an LDAP user as your initial
> admin, what is the error you get?
>
> Keep in mind it is case and white-space sensitive, and also depends on
> whether you are returning full DN or short name, it must match exactly.
>
> error
> Multiple UserGroupProviders claim to provide user
> uid=XXXXXX,cn=users,cn=accounts,dc=XXXX
>
> logfile
>
> 2019-08-13 16:49:40,976 INFO [NiFi Web Server-23]
> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
> Multiple UserGroupProviders claim to provide user
> uid=612442779,cn=users,cn=accounts,dc=ace. Returning Conflict response.
>
> 2019-08-13 16:49:40,977 DEBUG [NiFi Web Server-23]
> o.a.n.w.a.c.IllegalStateExceptionMapper
>
> java.lang.IllegalStateException: Multiple UserGroupProviders claim to
> provide user uid=XXXXXX,cn=users,cn=accounts,dc=XXXX
>
>         at
> org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider.getUserAndGroups(CompositeConfigurableUserGroupProvider.java:195)
>
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
>
>
> On Mon, Aug 5, 2019 at 10:38 PM Bryan Bende <bbende@gmail.com> wrote:
>
>> Hello,
>>
>> Issue #1 - You should be able to specify an LDAP user as your initial
>> admin, what is the error you get?
>>
>> Keep in mind it is case and white-space sensitive, and also depends on
>> whether you are returning full DN or short name, it must match exactly.
>>
>> Issue #2 - Since you are able to query the API with the client cert, it
>> seems like your cert is set up correctly.
>>
>> Is there an error in nifi-app.log or nifi-user.log when you try to modify
>> the policy? Can you modify policies through the UI without issues?
>>
>> Tokens are only issued for login methods that are based on username and
>> password, so it is expected behavior that you could not issue one for a
>> cert user.
>>
>> Thanks,
>>
>> Bryan
>>
>>
>> On Sun, Aug 4, 2019 at 8:30 PM Felipe Garcia <felipe@garcia-lind.com>
>> wrote:
>>
>>> Setup
>>>
>>>
>>> a cluster of a few nifi boxes
>>>
>>>
>>> setup to authenticate with LDAP
>>>
>>> users and groups in LDAP
>>>
>>>
>>> Issue 1: unable to specify an LDAP user as Initial User
>>>
>>>
>>> I have only been able to set up the cluster with a client certificate
>>> user.
>>>
>>>
>>> Issue 2: I am unable to use the API with the initial certificate user to
>>> add an LDAP group.
>>>
>>>
>>> I exported the cert and key into a usable format for curl
>>>
>>>
>>> # openssl pkcs12 -in /opt/nifi-certs/CN\=admin_OU\=NIFI.p12 -out
>>> /opt/nifi-certs/CN\=admin_OU\=NIFI.key -nocerts -nodes
>>>
>>> # openssl pkcs12 -export -in /opt/nifi-certs/CN\=admin_OU\=NIFI.p12
>>> -out /opt/nifi-certs/CN\=admin_OU\=NIFI.pem -clcerts -nokeys -passin
>>> 'changeme'
>>>
>>>
>>> I am able to query the API
>>>
>>>
>>> curl -k -X GET
>>> https://nifi01-sst140.dev.cloud.ace:9443/nifi-api/policies/read/flow --cert
>>> /opt/nifi-certs/CN=admin_OU=NIFI.pem --key
>>> /opt/nifi-certs/CN=admin_OU=NIFI.key --compressed
>>>
>>>
>>>
>>> But I am unable to change or add via the API
>>>
>>>
>>> curl -k -X PUT -H 'Content-Type: application/json'
>>> https://nifi01-sst140.dev.cloud.ace:9443/nifi-api/policies/f99bccd1-a30e-3e4a-98a2-dbc708edc67f
>>> --cert /opt/nifi-certs/CN=admin_OU=NIFI.pem --key
>>> /opt/nifi-certs/CN=admin_OU=NIFI.key -d @/tmp/newpolicy.json
>>>
>>> Unable to save Authorizations
>>>
>>>
>>>
>>> I cannot create a token for a cert user
>>>
>>>
>>> curl -k -X POST 'https://nifi01-sst140.dev.cloud.ace:9443/nifi-api/access/token' -H
>>> 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type:
>>> application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' --cert
>>> /opt/nifi-certs/CN\=admin_OU\=NIFI.pem --key
>>> /opt/nifi-certs/CN\=admin_OU\=NIFI.key --compressed
>>>
>>> The username and password must be specified.
>>>
>>>
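
One way to check for the condition described in this thread, as an added example that is not part of the original messages and not NiFi code: it lists identities that appear both in the file user group provider's users.xml and in the LDAP provider (the "Multiple UserGroupProviders claim to provide user" conflict), plus identities that differ only by case or whitespace. It assumes the users.xml layout `<tenants><users><user identity="..."/>` and that the LDAP identities have already been exported to a list; all sample values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a file user group provider users.xml (not from the thread).
USERS_XML = """<tenants>
    <groups/>
    <users>
        <user identifier="id-1" identity="CN=admin, OU=NIFI"/>
        <user identifier="id-2" identity="uid=jdoe,cn=users,cn=accounts,dc=example"/>
        <user identifier="id-3" identity="UID=asmith, cn=users,cn=accounts,dc=example"/>
    </users>
</tenants>"""

# Constructed identities, in the form the LDAP user group provider would return them.
LDAP_IDENTITIES = [
    "uid=jdoe,cn=users,cn=accounts,dc=example",
    "uid=asmith,cn=users,cn=accounts,dc=example",
    "uid=bwong,cn=users,cn=accounts,dc=example",
]

def file_identities(users_xml):
    """Return the identity attribute of every <user> under <users>."""
    root = ET.fromstring(users_xml)
    return [u.get("identity") for u in root.findall("./users/user") if u.get("identity")]

def normalize(identity):
    """Lower-case and strip all whitespace; used only to spot near-misses."""
    return "".join(identity.split()).lower()

def compare(file_ids, ldap_ids):
    """Split file-provider identities into exact conflicts and near-misses."""
    ldap_exact = set(ldap_ids)
    ldap_norm = {normalize(i): i for i in ldap_ids}
    conflicts, near_misses = [], []
    for ident in file_ids:
        if ident in ldap_exact:
            # Same string in both providers: the composite provider rejects this.
            conflicts.append(ident)
        elif normalize(ident) in ldap_norm:
            # Differs only by case/whitespace: treated as a different user,
            # since the thread notes matching is exact.
            near_misses.append((ident, ldap_norm[normalize(ident)]))
    return conflicts, near_misses

if __name__ == "__main__":
    conflicts, near = compare(file_identities(USERS_XML), LDAP_IDENTITIES)
    for c in conflicts:
        print("defined in both providers:", c)
    for f, l in near:
        print("near-miss (file vs LDAP):", repr(f), "vs", repr(l))
```

Exact conflicts are the entries to remove from users.xml; near-misses are candidates for an initial admin or policy entry that will not match the LDAP identity.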
